NSA surveillance retrospective: AT&T, Verizon never denied it

Blanket denials from Microsoft, Google, and Facebook -- and efforts to clear their names -- are the opposite of what AT&T and Verizon did in response to reports saying they opened their systems to the National Security Agency.

AT&T facility at 611 Folsom Street in San Francisco, which a former technician revealed included a "splitter cabinet" that diverted Internet traffic to the National Security Agency. The company never denied it.
Declan McCullagh

When Internet companies were recently accused of allowing the National Security Agency direct access to their servers, they strenuously denied it. But when AT&T was accused of allowing the NSA direct access to its network, it did the opposite.

Mark Klein, who worked as an AT&T technician for over 22 years, disclosed in 2006 (PDF) that he met with NSA officials and witnessed domestic Internet traffic being "diverted" through a "splitter cabinet" to secure room 641A in one of the company's San Francisco facilities. Only NSA-cleared technicians were allowed to work on equipment in the SG3 secure room, Klein said, adding that he was told similar taps existed in other major cities.

AT&T never denied it. Instead, in defending a lawsuit brought by the Electronic Frontier Foundation, the company sought to downplay the reasons NSA-controlled hardware existed on its network.

In May 2006, CNET obtained an improperly redacted PDF document (PDF) that AT&T's lawyers filed in that lawsuit. The redacted portions argued: "Although the plaintiffs ominously refer to the equipment as the 'Surveillance Configuration,' the same physical equipment could be utilized exclusively for other surveillance in full compliance with" the Foreign Intelligence Surveillance Act.

CNET asked AT&T at the time: "Have you turned over information or opened up your networks to the NSA without being compelled by law?" A company spokesman would not answer the question.

A few months later, Justice Department attorneys told a federal judge (PDF) that AT&T can "neither confirm nor deny whether it was indeed cooperating with the NSA."

That's the opposite of what Internet companies including Microsoft, Google, and Facebook have done since initial reports -- which have since been shown to be incorrect -- in The Washington Post and Guardian newspapers alleged the NSA had "direct access" to the companies' servers. (The Post's editorial board yesterday acknowledged there was nothing untoward going on.)

Not only have the tech companies denied allegations of NSA access, they've done so at great length.

Facebook CEO Mark Zuckerberg provided a categorical denial, including saying that "we have never received a blanket request or court order from any government agency asking for information or metadata in bulk." Google CEO Larry Page said flatly that "the U.S. government does not have direct access or a 'back door' to the information stored in our data centers." Apple, Yahoo, and Microsoft have made similar statements.

Google's chief legal officer, David Drummond, gave lengthy interviews yesterday to PBS Newshour and Fox News describing how the company complies with legal orders. CNET was the first to disclose last month that Google is currently fighting the FBI over the legality of secret "national security letters" in court in New York and San Francisco.

In addition, it turned out that the so-called PRISM program is not the name of a spy program after all: It's the name of an internal NSA software tool that's used to collate data collected through a legal process created by Congress in 2008 and last renewed in December 2012. That "702" process, overseen by the Foreign Intelligence Surveillance Court, the Justice Department, and Congress, requires companies to comply with orders for information on non-U.S. citizens in investigations related to "prevention of terrorism, hostile cyberactivities, or nuclear proliferation."

That seems to be why Sen. Al Franken, a Minnesota Democrat who chairs a Senate privacy subcommittee and has a reputation as an outspoken privacy advocate and critic of Silicon Valley companies, told CBS affiliate WCCO that he had been briefed on the 702 process and has no privacy concerns. "I can assure you that this isn't about spying on the American people," Franken said.

The Internet companies have asked Attorney General Eric Holder to lift secrecy restrictions on 702 orders so they can clear their names, in part by disclosing how many records they have turned over in response to legal process. Google sent an open letter to Holder yesterday, and Facebook and Microsoft have also asked the Justice Department for permission to divulge summary statistics. Holder has not responded.

By contrast, AT&T never asked for permission to disclose NSA surveillance. Instead, Deputy Assistant Attorney General Carl Nichols said during a 2006 court hearing in San Francisco that a discussion of all the "facts" about NSA surveillance could only happen in a classified setting. The Bush administration asked that the case be tossed out on "state secrets" grounds.

James Bamford, in his 2008 book "The Shadow Factory," described AT&T's participation in Bush's warrantless wiretapping program as:

For decades, AT&T and much of the rest of the telecommunications industry have had a very secret, very cozy relationship with the NSA... [NSA Director Michael Hayden] succeeded in gaining the secret cooperation of nearly all of the nation's telecommunications giants for his warrantless eavesdropping program. Within a year, engineers were busy installing highly secret, heavily locked rooms in key AT&T switches, among them Bridgeton, New York City, and the company's major West Coast central office in San Francisco. From then on the data -- including both address information and content -- would flow through the PacketScopes directly to the NSA.

Verizon, too, never sent an open letter to the federal government asking that a gag order be lifted. The company secretly hands the NSA daily logs of all customers' phone calls, according to a court order that the Guardian published last week. When USA Today disclosed this program in 2006, saying that NSA was vacuuming up phone logs, Verizon didn't deny it. Instead, a spokesman told the newspaper only that "we do not comment on national security matters."

The Bush administration confirmed the existence of warrantless wiretapping with the help of telecommunications companies when it asked Congress to grant retroactive immunity to the providers that participated. Sen. John Rockefeller (D-W.Va.), the Intelligence Committee's chairman at the time, said the providers "should not be penalized for their willingness to heed the call during a national emergency" -- despite the fact that any "emergency" by then would have lasted over six years.

A 2009 book on the NSA titled "The Secret Sentry," by Matthew Aid, suggested that executives at AT&T and the other telecommunications providers knew they were violating criminal wiretapping laws. Aid wrote:

As one NSA retiree put it, "why then would they need immunity if what they did was legal?" After reading a spate of newspaper reports on the subject, a disgusted NSA official said, "They keep trying to give the telecoms a 'Get Out of Jail Free' card. That tells me there is something illegal about what the companies have been doing. [The immunity deal] stinks to high heaven."

Retroactive immunity -- which was supported by then-Sen. Barack Obama despite his earlier statements to CNET to the contrary -- finally became law in July 2008.

About the author

Declan McCullagh is the chief political correspondent for CNET. You can e-mail him or follow him on Twitter as declanm. Declan previously was a reporter for Time and the Washington bureau chief for Wired and wrote the Taking Liberties section and Other People's Money column for CBS News' Web site.